commit: c1cf5db371b24eaaed3fbb1f8eaf713f371a61fa Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> AuthorDate: Sat Aug 23 11:35:51 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Tue Aug 26 14:52:10 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1cf5db3
Label (/var)?/tmp/systemd-private-.../tmp like /tmp Such directories are used by systemd as private mountpoints for services.
---
 policy/modules/kernel/files.fc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 1a83f34..3c61990 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -191,6 +191,10 @@ ifdef(`distro_debian',`
 /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /tmp/lost\+found/.* <<none>>
+/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp/systemd-private-[^/]+/tmp/.* <<none>>
+
 
 #
 # /usr
 #
@@ -265,6 +269,9 @@ ifndef(`distro_redhat',`
 /var/tmp/.* <<none>>
 /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.* <<none>>
+/var/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp/systemd-private-[^/]+/tmp/.* <<none>>
 /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
 
 ifdef(`distro_debian',`
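Review bot: The three new entries in each hunk only take effect during a relabeling pass (setfiles/restorecon), because `<<none>>` leaves the mount point's contents untouched and the directories themselves are created by systemd at runtime, so whether a freshly created private directory already carries the `s0-mls_systemhigh` range that the file context assigns depends on the creating domain's MLS level, which this change does not establish and which I would confirm on an MLS build. The `[^/]+` component also accepts any name with the `systemd-private-` prefix, so a recursive relabel of /tmp would stamp `tmp_t` with the multi-level range onto an unrelated directory that merely shares that prefix; that mirrors how the adjacent `lost\+found` entries already behave, so it looks acceptable, but the intent deserves a comment above the block, e.g. `# Private /tmp mount points that systemd creates for services; their contents are labeled at runtime`. The same applies to the /var/tmp entries in the second hunk.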
